// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 * Copyright (c) 2014 Intel Corporation
 * Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

/*
 * nf_tables "meta" expression: read packet/socket metadata into a register
 * (get), or write a register into packet metadata (set). The secmark
 * object at the bottom maps an LSM security context string to a secid.
 */

#include <linux/kernel.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/smp.h>
#include <linux/static_key.h>
#include <net/dst.h>
#include <net/sock.h>
#include <net/tcp_states.h> /* for TCP_TIME_WAIT */
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nft_meta.h>
#include <net/netfilter/nf_tables_offload.h>

#include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */

/*
 * Per-CPU PRNG state behind NFT_META_PRANDOM. It is seeded lazily by
 * prandom_init_once() in nft_meta_get_init() the first time a rule
 * using that key is added.
 */
static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state);

/**
 * nft_meta_get_eval - load the metadata selected by priv->key into priv->dreg
 * @expr: the meta expression (private data is a struct nft_meta)
 * @regs: rule register file; regs->data[priv->dreg] receives the value
 * @pkt: packet being evaluated
 *
 * Attributes that are not available for this packet (no input/output
 * device, no full socket, no dst, truncated header, ...) abort the rule
 * with NFT_BREAK through the err label rather than storing garbage.
 * The number of bytes written for each key matches the register size
 * validated in nft_meta_get_init().
 */
void nft_meta_get_eval(const struct nft_expr *expr,
		       struct nft_regs *regs,
		       const struct nft_pktinfo *pkt)
{
	const struct nft_meta *priv = nft_expr_priv(expr);
	const struct sk_buff *skb = pkt->skb;
	const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
	struct sock *sk;
	u32 *dest = &regs->data[priv->dreg];

	switch (priv->key) {
	case NFT_META_LEN:
		*dest = skb->len;
		break;
	case NFT_META_PROTOCOL:
		nft_reg_store16(dest, (__force u16)skb->protocol);
		break;
	case NFT_META_NFPROTO:
		nft_reg_store8(dest, nft_pf(pkt));
		break;
	case NFT_META_L4PROTO:
		/* tprot is only meaningful once the transport header was found */
		if (!pkt->tprot_set)
			goto err;
		nft_reg_store8(dest, pkt->tprot);
		break;
	case NFT_META_PRIORITY:
		*dest = skb->priority;
		break;
	case NFT_META_MARK:
		*dest = skb->mark;
		break;
	case NFT_META_IIF:
		/* ifindex 0 means "no such device" rather than breaking the rule */
		*dest = in ? in->ifindex : 0;
		break;
	case NFT_META_OIF:
		*dest = out ? out->ifindex : 0;
		break;
	case NFT_META_IIFNAME:
		/*
		 * strncpy() zero-pads up to IFNAMSIZ, so the whole register
		 * span (sized IFNAMSIZ at init) is defined even for short or
		 * empty names - no stale register bytes survive.
		 */
		strncpy((char *)dest, in ? in->name : "", IFNAMSIZ);
		break;
	case NFT_META_OIFNAME:
		strncpy((char *)dest, out ? out->name : "", IFNAMSIZ);
		break;
	case NFT_META_IIFTYPE:
		if (in == NULL)
			goto err;
		nft_reg_store16(dest, in->type);
		break;
	case NFT_META_OIFTYPE:
		if (out == NULL)
			goto err;
		nft_reg_store16(dest, out->type);
		break;
	case NFT_META_SKUID:
		/*
		 * Only a full socket in the packet's own netns is consulted:
		 * request/timewait minisocks have no sk_socket, and net_eq()
		 * keeps credentials of other namespaces out of this rule.
		 */
		sk = skb_to_full_sk(skb);
		if (!sk || !sk_fullsock(sk) ||
		    !net_eq(nft_net(pkt), sock_net(sk)))
			goto err;

		/*
		 * sk_callback_lock is held (bh-disabled) across the
		 * sk_socket->file->f_cred dereference; every early exit
		 * below must drop it before jumping to err.
		 */
		read_lock_bh(&sk->sk_callback_lock);
		if (sk->sk_socket == NULL ||
		    sk->sk_socket->file == NULL) {
			read_unlock_bh(&sk->sk_callback_lock);
			goto err;
		}

		/* munged into init_user_ns so the value is a plain uid number */
		*dest =	from_kuid_munged(&init_user_ns,
				sk->sk_socket->file->f_cred->fsuid);
		read_unlock_bh(&sk->sk_callback_lock);
		break;
	case NFT_META_SKGID:
		/* same socket/netns/lock discipline as NFT_META_SKUID */
		sk = skb_to_full_sk(skb);
		if (!sk || !sk_fullsock(sk) ||
		    !net_eq(nft_net(pkt), sock_net(sk)))
			goto err;

		read_lock_bh(&sk->sk_callback_lock);
		if (sk->sk_socket == NULL ||
		    sk->sk_socket->file == NULL) {
			read_unlock_bh(&sk->sk_callback_lock);
			goto err;
		}
		*dest =	from_kgid_munged(&init_user_ns,
				 sk->sk_socket->file->f_cred->fsgid);
		read_unlock_bh(&sk->sk_callback_lock);
		break;
#ifdef CONFIG_IP_ROUTE_CLASSID
	case NFT_META_RTCLASSID: {
		const struct dst_entry *dst = skb_dst(skb);

		/* no route attached yet (e.g. before routing) -> no classid */
		if (dst == NULL)
			goto err;
		*dest = dst->tclassid;
		break;
	}
#endif
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
		*dest = skb->secmark;
		break;
#endif
	case NFT_META_PKTTYPE:
		if (skb->pkt_type != PACKET_LOOPBACK) {
			nft_reg_store8(dest, skb->pkt_type);
			break;
		}

		/*
		 * PACKET_LOOPBACK hides the original class; recover it from
		 * the L3 destination: IPv4 multicast vs. broadcast, IPv6 is
		 * always reported as multicast.
		 */
		switch (nft_pf(pkt)) {
		case NFPROTO_IPV4:
			if (ipv4_is_multicast(ip_hdr(skb)->daddr))
				nft_reg_store8(dest, PACKET_MULTICAST);
			else
				nft_reg_store8(dest, PACKET_BROADCAST);
			break;
		case NFPROTO_IPV6:
			nft_reg_store8(dest, PACKET_MULTICAST);
			break;
		case NFPROTO_NETDEV:
			/*
			 * On netdev hooks the IPv4 header may not be linear
			 * or validated yet, so it is copied through
			 * skb_header_pointer() into a stack buffer and a
			 * truncated header breaks the rule instead of being
			 * read out of bounds.
			 */
			switch (skb->protocol) {
			case htons(ETH_P_IP): {
				int noff = skb_network_offset(skb);
				struct iphdr *iph, _iph;

				iph = skb_header_pointer(skb, noff,
							 sizeof(_iph), &_iph);
				if (!iph)
					goto err;

				if (ipv4_is_multicast(iph->daddr))
					nft_reg_store8(dest, PACKET_MULTICAST);
				else
					nft_reg_store8(dest, PACKET_BROADCAST);

				break;
			}
			case htons(ETH_P_IPV6):
				nft_reg_store8(dest, PACKET_MULTICAST);
				break;
			default:
				/* loopback packets of other ethertypes are unexpected here */
				WARN_ON_ONCE(1);
				goto err;
			}
			break;
		default:
			WARN_ON_ONCE(1);
			goto err;
		}
		break;
	case NFT_META_CPU:
		*dest = raw_smp_processor_id();
		break;
	case NFT_META_IIFGROUP:
		if (in == NULL)
			goto err;
		*dest = in->group;
		break;
	case NFT_META_OIFGROUP:
		if (out == NULL)
			goto err;
		*dest = out->group;
		break;
#ifdef CONFIG_CGROUP_NET_CLASSID
	case NFT_META_CGROUP:
		/* full socket in this netns required, as for SKUID/SKGID */
		sk = skb_to_full_sk(skb);
		if (!sk || !sk_fullsock(sk) ||
		    !net_eq(nft_net(pkt), sock_net(sk)))
			goto err;
		*dest = sock_cgroup_classid(&sk->sk_cgrp_data);
		break;
#endif
	case NFT_META_PRANDOM: {
		/*
		 * NOTE(review): prandom_u32_state() is the kernel's
		 * non-cryptographic PRNG. NFT_META_PRANDOM is suitable for
		 * load spreading / sampling, not for security decisions.
		 */
		struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
		*dest = prandom_u32_state(state);
		break;
	}
#ifdef CONFIG_XFRM
	case NFT_META_SECPATH:
		/* 1 if the skb carries an IPsec secpath, 0 otherwise */
		nft_reg_store8(dest, secpath_exists(skb));
		break;
#endif
	case NFT_META_IIFKIND:
		/* devices without rtnl_link_ops (e.g. physical NICs) have no kind */
		if (in == NULL || in->rtnl_link_ops == NULL)
			goto err;
		strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
		break;
	case NFT_META_OIFKIND:
		if (out == NULL || out->rtnl_link_ops == NULL)
			goto err;
		strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
		break;
	default:
		/* init rejects unknown keys with -EOPNOTSUPP, so this is a bug */
		WARN_ON(1);
		goto err;
	}
	return;

err:
	regs->verdict.code = NFT_BREAK;
}
EXPORT_SYMBOL_GPL(nft_meta_get_eval);

/**
 * nft_meta_set_eval - store register priv->sreg into the packet field priv->key
 * @expr: the meta expression (private data is a struct nft_meta)
 * @regs: rule register file; regs->data[meta->sreg] is the source value
 * @pkt: packet being modified
 *
 * Unlike the get side there is no failure path: an unknown key only
 * triggers WARN_ON(), since nft_meta_set_init() already filtered keys.
 */
void nft_meta_set_eval(const struct nft_expr *expr,
		       struct nft_regs *regs,
		       const struct nft_pktinfo *pkt)
{
	const struct nft_meta *meta = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	u32 *sreg = &regs->data[meta->sreg];
	u32 value = *sreg;
	u8 value8;

	switch (meta->key) {
	case NFT_META_MARK:
		skb->mark = value;
		break;
	case NFT_META_PRIORITY:
		skb->priority = value;
		break;
	case NFT_META_PKTTYPE:
		value8 = nft_reg_load8(sreg);

		/*
		 * Only transition between packet types that
		 * skb_pkt_type_ok() accepts - checked for both the requested
		 * and the current value - so a rule cannot forge an
		 * arbitrary pkt_type.
		 */
		if (skb->pkt_type != value8 &&
		    skb_pkt_type_ok(value8) &&
		    skb_pkt_type_ok(skb->pkt_type))
			skb->pkt_type = value8;
		break;
	case NFT_META_NFTRACE:
		value8 = nft_reg_load8(sreg);

		/* normalise to 0/1 before storing into the flag */
		skb->nf_trace = !!value8;
		break;
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
		skb->secmark = value;
		break;
#endif
	default:
		WARN_ON(1);
	}
}
EXPORT_SYMBOL_GPL(nft_meta_set_eval);

/* netlink attribute policy shared by the get and set variants */
const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
	[NFTA_META_DREG]	= { .type = NLA_U32 },
	[NFTA_META_KEY]		= { .type = NLA_U32 },
	[NFTA_META_SREG]	= { .type = NLA_U32 },
};
EXPORT_SYMBOL_GPL(nft_meta_policy);

/**
 * nft_meta_get_init - parse a "meta get" expression from netlink
 * @ctx: rule context
 * @expr: expression to initialise
 * @tb: parsed NFTA_META_* attributes
 *
 * Derives the number of bytes the eval path writes for the key (len)
 * and checks the destination register against that size via
 * nft_validate_register_store(). NFTA_META_KEY is guaranteed present by
 * nft_meta_select_ops(). Unknown keys yield -EOPNOTSUPP.
 *
 * Return: 0 on success, negative errno otherwise.
 */
int nft_meta_get_init(const struct nft_ctx *ctx,
		      const struct nft_expr *expr,
		      const struct nlattr * const tb[])
{
	struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int len;

	priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
	switch (priv->key) {
	case NFT_META_PROTOCOL:
	case NFT_META_IIFTYPE:
	case NFT_META_OIFTYPE:
		len = sizeof(u16);
		break;
	case NFT_META_NFPROTO:
	case NFT_META_L4PROTO:
	case NFT_META_LEN:
	case NFT_META_PRIORITY:
	case NFT_META_MARK:
	case NFT_META_IIF:
	case NFT_META_OIF:
	case NFT_META_SKUID:
	case NFT_META_SKGID:
#ifdef CONFIG_IP_ROUTE_CLASSID
	case NFT_META_RTCLASSID:
#endif
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
#endif
	case NFT_META_PKTTYPE:
	case NFT_META_CPU:
	case NFT_META_IIFGROUP:
	case NFT_META_OIFGROUP:
#ifdef CONFIG_CGROUP_NET_CLASSID
	case NFT_META_CGROUP:
#endif
		len = sizeof(u32);
		break;
	case NFT_META_IIFNAME:
	case NFT_META_OIFNAME:
	case NFT_META_IIFKIND:
	case NFT_META_OIFKIND:
		/* eval copies up to IFNAMSIZ bytes into the register span */
		len = IFNAMSIZ;
		break;
	case NFT_META_PRANDOM:
		/* seed the per-CPU state once before the first eval */
		prandom_init_once(&nft_prandom_state);
		len = sizeof(u32);
		break;
#ifdef CONFIG_XFRM
	case NFT_META_SECPATH:
		len = sizeof(u8);
		break;
#endif
	default:
		return -EOPNOTSUPP;
	}

	priv->dreg = nft_parse_register(tb[NFTA_META_DREG]);
	return nft_validate_register_store(ctx, priv->dreg, NULL,
					   NFT_DATA_VALUE, len);
}
EXPORT_SYMBOL_GPL(nft_meta_get_init);

/*
 * NFT_META_SECPATH is only permitted on the ingress-side hooks listed
 * below; every other key is accepted on any hook. Without CONFIG_XFRM
 * the key cannot be selected at all, so validation trivially succeeds.
 */
static int nft_meta_get_validate(const struct nft_ctx *ctx,
				 const struct nft_expr *expr,
				 const struct nft_data **data)
{
#ifdef CONFIG_XFRM
	const struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int hooks;

	if (priv->key != NFT_META_SECPATH)
		return 0;

	switch (ctx->family) {
	case NFPROTO_NETDEV:
		hooks = 1 << NF_NETDEV_INGRESS;
		break;
	case NFPROTO_IPV4:
	case NFPROTO_IPV6:
	case NFPROTO_INET:
		hooks = (1 << NF_INET_PRE_ROUTING) |
			(1 << NF_INET_LOCAL_IN) |
			(1 << NF_INET_FORWARD);
		break;
	default:
		return -EOPNOTSUPP;
	}

	return nft_chain_validate_hooks(ctx->chain, hooks);
#else
	return 0;
#endif
}

/**
 * nft_meta_set_validate - restrict "meta set pkttype" to pre-routing hooks
 * @ctx: rule context (family and chain)
 * @expr: the meta expression
 * @data: unused
 *
 * Setting pkt_type is only allowed on the earliest hook of each family
 * (bridge/inet pre-routing, netdev ingress); other keys pass unchanged.
 *
 * Return: 0 if allowed, -EOPNOTSUPP for an unsupported family, or the
 * result of nft_chain_validate_hooks().
 */
int nft_meta_set_validate(const struct nft_ctx *ctx,
			  const struct nft_expr *expr,
			  const struct nft_data **data)
{
	struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int hooks;

	if (priv->key != NFT_META_PKTTYPE)
		return 0;

	switch (ctx->family) {
	case NFPROTO_BRIDGE:
		hooks = 1 << NF_BR_PRE_ROUTING;
		break;
	case NFPROTO_NETDEV:
		hooks = 1 << NF_NETDEV_INGRESS;
		break;
	case NFPROTO_IPV4:
	case NFPROTO_IPV6:
	case NFPROTO_INET:
		hooks = 1 << NF_INET_PRE_ROUTING;
		break;
	default:
		return -EOPNOTSUPP;
	}

	return nft_chain_validate_hooks(ctx->chain, hooks);
}
EXPORT_SYMBOL_GPL(nft_meta_set_validate);

/**
 * nft_meta_set_init - parse a "meta set" expression from netlink
 * @ctx: rule context
 * @expr: expression to initialise
 * @tb: parsed NFTA_META_* attributes
 *
 * Validates that the source register holds enough bytes for the key and,
 * for NFT_META_NFTRACE, bumps the nft_trace_enabled static branch; the
 * matching static_branch_dec() is in nft_meta_set_destroy().
 *
 * Return: 0 on success, negative errno otherwise.
 */
int nft_meta_set_init(const struct nft_ctx *ctx,
		      const struct nft_expr *expr,
		      const struct nlattr * const tb[])
{
	struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int len;
	int err;

	priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
	switch (priv->key) {
	case NFT_META_MARK:
	case NFT_META_PRIORITY:
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
#endif
		len = sizeof(u32);
		break;
	case NFT_META_NFTRACE:
		len = sizeof(u8);
		break;
	case NFT_META_PKTTYPE:
		len = sizeof(u8);
		break;
	default:
		return -EOPNOTSUPP;
	}

	priv->sreg = nft_parse_register(tb[NFTA_META_SREG]);
	err = nft_validate_register_load(priv->sreg, len);
	if (err < 0)
		return err;

	/* turns on the rule-tracing fast path while any nftrace rule exists */
	if (priv->key == NFT_META_NFTRACE)
		static_branch_inc(&nft_trace_enabled);

	return 0;
}
EXPORT_SYMBOL_GPL(nft_meta_set_init);

/**
 * nft_meta_get_dump - serialise a "meta get" expression to netlink
 * @skb: dump message under construction
 * @expr: the meta expression
 *
 * Return: 0 on success, -1 if the message ran out of room.
 */
int nft_meta_get_dump(struct sk_buff *skb,
		      const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
		goto nla_put_failure;
	if (nft_dump_register(skb, NFTA_META_DREG, priv->dreg))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}
EXPORT_SYMBOL_GPL(nft_meta_get_dump);

/**
 * nft_meta_set_dump - serialise a "meta set" expression to netlink
 * @skb: dump message under construction
 * @expr: the meta expression
 *
 * Return: 0 on success, -1 if the message ran out of room.
 */
int nft_meta_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
		goto nla_put_failure;
	if (nft_dump_register(skb, NFTA_META_SREG, priv->sreg))
		goto nla_put_failure;

	return 0;

nla_put_failure:
	return -1;
}
EXPORT_SYMBOL_GPL(nft_meta_set_dump);

/**
 * nft_meta_set_destroy - release the nftrace static branch taken in init
 * @ctx: rule context (unused)
 * @expr: the meta expression being destroyed
 */
void nft_meta_set_destroy(const struct nft_ctx *ctx,
			  const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);

	if (priv->key == NFT_META_NFTRACE)
		static_branch_dec(&nft_trace_enabled);
}
EXPORT_SYMBOL_GPL(nft_meta_set_destroy);

/*
 * Hardware offload: only the L3 ethertype and L4 protocol keys map onto
 * flow dissector fields; every other key is refused so the rule stays in
 * software.
 */
static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
				struct nft_flow_rule *flow,
				const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);
	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];

	switch (priv->key) {
	case NFT_META_PROTOCOL:
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto,
				  sizeof(__u16), reg);
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
		break;
	case NFT_META_L4PROTO:
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
				  sizeof(__u8), reg);
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
		break;
	default:
		return -EOPNOTSUPP;
	}

	return 0;
}

static const struct nft_expr_ops nft_meta_get_ops = {
	.type		= &nft_meta_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_meta)),
	.eval		= nft_meta_get_eval,
	.init		= nft_meta_get_init,
	.dump		= nft_meta_get_dump,
	.validate	= nft_meta_get_validate,
	.offload	= nft_meta_get_offload,
};

static const struct nft_expr_ops nft_meta_set_ops = {
	.type		= &nft_meta_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_meta)),
	.eval		= nft_meta_set_eval,
	.init		= nft_meta_set_init,
	.destroy	= nft_meta_set_destroy,
	.dump		= nft_meta_set_dump,
	.validate	= nft_meta_set_validate,
};

/*
 * Pick get or set ops from the attributes present. NFTA_META_KEY is
 * mandatory, and DREG/SREG are mutually exclusive, which is what lets
 * the init functions dereference tb[NFTA_META_KEY] unchecked. When the
 * bridge family has its own meta module, -EAGAIN is returned so the
 * caller can retry with that module (presumably after autoloading it).
 */
static const struct nft_expr_ops *
nft_meta_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	if (tb[NFTA_META_KEY] == NULL)
		return ERR_PTR(-EINVAL);

	if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
		return ERR_PTR(-EINVAL);

#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) && IS_MODULE(CONFIG_NFT_BRIDGE_META)
	if (ctx->family == NFPROTO_BRIDGE)
		return ERR_PTR(-EAGAIN);
#endif
	if (tb[NFTA_META_DREG])
		return &nft_meta_get_ops;

	if (tb[NFTA_META_SREG])
		return &nft_meta_set_ops;

	return ERR_PTR(-EINVAL);
}

struct nft_expr_type nft_meta_type __read_mostly = {
	.name		= "meta",
	.select_ops	= nft_meta_select_ops,
	.policy		= nft_meta_policy,
	.maxattr	= NFTA_META_MAX,
	.owner		= THIS_MODULE,
};

#ifdef CONFIG_NETWORK_SECMARK
/*
 * secmark object: a user-supplied LSM security context string (ctx) and
 * the secid it resolved to, applied to packets by nft_secmark_obj_eval().
 */
struct nft_secmark {
	u32 secid;
	char *ctx;
};

/* the context string is length-bounded here before it ever reaches the LSM */
static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
	[NFTA_SECMARK_CTX]     = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN },
};

/*
 * Resolve priv->ctx to a secid. A secid of 0 is treated as "not found"
 * (-ENOENT), and security_secmark_relabel_packet() must agree that the
 * caller may relabel packets with it before priv->secid is updated.
 */
static int nft_secmark_compute_secid(struct nft_secmark *priv)
{
	u32 tmp_secid = 0;
	int err;

	err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
	if (err)
		return err;

	if (!tmp_secid)
		return -ENOENT;

	err = security_secmark_relabel_packet(tmp_secid);
	if (err)
		return err;

	/* only replace the live secid once every check has passed */
	priv->secid = tmp_secid;
	return 0;
}

/* stamp the resolved secid onto the packet */
static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	const struct nft_secmark *priv = nft_obj_data(obj);
	struct sk_buff *skb = pkt->skb;

	skb->secmark = priv->secid;
}

/*
 * Duplicate the context string, resolve it, and take the LSM secmark
 * refcount. On a resolution failure the duplicated string is freed
 * again so the half-initialised object leaks nothing.
 */
static int nft_secmark_obj_init(const struct nft_ctx *ctx,
				const struct nlattr * const tb[],
				struct nft_object *obj)
{
	struct nft_secmark *priv = nft_obj_data(obj);
	int err;

	if (tb[NFTA_SECMARK_CTX] == NULL)
		return -EINVAL;

	priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
	if (!priv->ctx)
		return -ENOMEM;

	err = nft_secmark_compute_secid(priv);
	if (err) {
		kfree(priv->ctx);
		return err;
	}

	security_secmark_refcount_inc();

	return 0;
}

/*
 * Dump the context string; with @reset the context is re-resolved so a
 * changed LSM policy is picked up. Note the mixed return convention:
 * -1 for a netlink put failure, a negative errno from compute_secid().
 */
static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj,
				bool reset)
{
	struct nft_secmark *priv = nft_obj_data(obj);
	int err;

	if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx))
		return -1;

	if (reset) {
		err = nft_secmark_compute_secid(priv);
		if (err)
			return err;
	}

	return 0;
}

/* undo nft_secmark_obj_init(): drop the LSM refcount and free the string */
static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
{
	struct nft_secmark *priv = nft_obj_data(obj);

	security_secmark_refcount_dec();

	kfree(priv->ctx);
}

static const struct nft_object_ops nft_secmark_obj_ops = {
	.type		= &nft_secmark_obj_type,
	.size		= sizeof(struct nft_secmark),
	.init		= nft_secmark_obj_init,
	.eval		= nft_secmark_obj_eval,
	.dump		= nft_secmark_obj_dump,
	.destroy	= nft_secmark_obj_destroy,
};
struct nft_object_type nft_secmark_obj_type __read_mostly = {
	.type		= NFT_OBJECT_SECMARK,
	.ops		= &nft_secmark_obj_ops,
	.maxattr	= NFTA_SECMARK_MAX,
	.policy		= nft_secmark_policy,
	.owner		= THIS_MODULE,
};
#endif /* CONFIG_NETWORK_SECMARK */